[Esapi-user] [Esapi-dev] What can I do next for ESAPI?

Kevin W. Wall kevin.w.wall at gmail.com
Sun Aug 8 22:07:58 EDT 2010

Jim Manico wrote:
> I think modularization and documentation are the 2 most important
> issues to address after ESAPI 2.0 is a production release.
> Perhaps we could start simple - like just splitting the core and
> the reference implementation? That's tricky enough.
> Why do we need DI? Do we need a major re-write?

Maybe I took this the wrong way. I don't think that we need
dependency injection just to separate into esapi-core and
esapi-reference jars. I think we can do that w/out DI.
But I am skeptical of how useful that really will be.

IMO, the bread & butter of ESAPI is its input validation and
encoders. I think that 80% of the ESAPI community are going to
use those things as-is. They are just too complicated to do it
yourself and besides they are (IMHO) first rate and so there
is little reason to replace them. (Extend, perhaps, but developers
using ESAPI are not likely to replace them.)

The things that most developers using ESAPI will replace will
be the reference model for User and for Authenticator.  But if
all we have is esapi-core and esapi-reference jars, then it will
only be the 20% or so who would be using these interfaces and
not the rest of ESAPI. And frankly, if that's what your plan
is, chances are you are not going to bother with ESAPI in
the first place. Instead, they would look to some other
security class library, such as Acegi Security (especially
if they are using Spring).

So, bottom line...I don't think separating into simply TWO
ESAPI jars is likely to help much, *except as* a prerequisite
exercise for later splitting things in a more granular, logical


Kevin W. Wall
"The most likely way for the world to be destroyed, most experts agree,
is by accident. That's where we come in; we're computer professionals.
We cause accidents."        -- Nathaniel Borenstein, co-creator of MIME
